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gateway devices and a zone node corresponding to each of said zones. 

29. (Amended) A computer readable medium having computer readable program 
code means embodied thereon, said computer readable program code means comprising: 

a step to identify each gateway device in a network having a packet-filtering rule-base 
and each zone in said network defined by said gateway devices; and 

a step to generate a gateway-zone graph that models said network based on said 
packet-filtering rule-base, said gateway-zone graph having a gateway node corresponding to each of 
said gateway devices and a zone node corresponding to each of said zones. 
10 

REMARKS 

The present application was filed on January 18, 2000 with claims 1 through 29. 
Claims 1 through 29 are presently pending in the above-identified patent application. Claims 1, 9, 
12, 19, and 27-29 are proposed to be amended herein. 

15 In the Office Action, the Examiner rejected Claims 1 through 29 under 35 U.S.C. 

§103 (a) as being unpatentable overReidet al. (United States Patent Number 6,182,226), and further 
in view of Flint et al. (United States Patent Number 6,453,419). 

The present invention is directed to a method and apparatus for analyzing the 
operation of one or more network gateways, such as firewalls or routers, that perform a packet 

20 filtering function in a network environment. Given a user query, the disclosed firewall analysis tool 
simulates the behavior of the various firewalls, taking into account the topology of the network 
environment, and determines which portions of the services or machines specified in the original 
query would manage to reach from the source to the destination. The relevant packet-filtering 
configuration files are collected and an internal representation of the implied security policy is 

25 derived. 

Independent Claims L 9, 12, 19 and 27-29 

Independent Claims 1,9, 12, 19 and 27-29 were rejected under 35 U.S.C. § 103(a) as 
being unpatentable over Reid et al., and further in view of Flint et al. In particular, the Examiner 
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asserts that Reid discloses a method for analyzing at least one gateway in a network. The Examiner 
further asserts that Reid generates a gateway-zone graph that models said network. 

Applicants note that Reid teaches "a visual means by which access control can be 
defined and easily understood through flowchart style diagrams." Col. 7, lines 25-27. Figure 3 is a 
5 graphical representation of Access Control Language (ACL) commands. The graphical 
representation is created by a user to define the access control rules for a given firewall. The 
graphical representation is then used to generate the access control commands which will be 
implemented by the firewall. Thus, the graph is created by the user to input rules to the firewall. 

Flint et al. was also cited by the Examiner in rejecting claims 1 through 29 for its 
10 disclosure that Flint discloses "the regions that the service bridge, and the access control decisions." 

Applicants note that Flint is similar to Reid and also teaches a graphical user interface 
for conveniently defining rules for a firewall. Again, the flowchart is created by the user to define 
the access control rules. The flowchart is then used to generate the access control commands which 
will be implemented by the firewall. Thus, the graph is created by the user to input rules to the 
15 firewall. 

Independent claims 1,12, 19, and 27, as amended, require generating a gateway-zone 
graph that models said network based on said packet filtering configuration file. Similarly, 
independent claims 9 and 28-29, as amended, require generating a gateway-zone graph that models 
said network based on said packet-filtering rule-base. Both Reid and Flint use a graphical model to 
20 generate rules for a given firewall. The present invention, on the other hand^^ierates the graphical 
model from the rules of one or more firewalls. 

Thus, Reid or Flint (alone or in combination) do not disclose or sugges^lnerating or 
analyzing a "gateway-zone graph that models said network based on said packet filtering 
configuration file," as required by independent claims 1, 12, 19, and 27, as amended, and do not 
25 disclose or suggest generating a "gateway-zone graph that models said network based on said packet- 
filtering rule-base," as required by independent claims 9 and 28-29, as amended. 

Dependent Claims 2-8, 10-1 L 13-18 and 20-26 

Dependent claims 2-8, 10-11, 13-18 and 20-26 were rejected under 35 U.S.C. § 103(a) 
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§ 103(a) as being unpatentable over Reid et al., and further in view of Flint et al. Claims 2-8, 10-11, 
13-18 and 20-26 are dependent on Claims 1,9,12, and 19, respectively, and are therefore patentably 
distinguished over Reid et al. and Flint et al. (alone or in any combination) because of their 
dependency from amended independent Claims 1, 9, 12, and 19, for the reasons set forth above, as 
5 well as other elements these claims add in combination to their base claim. 

All of the pending claims, i.e., claims 1 through 29, are in condition for allowance 
and such favorable action is earnestly solicited. 

If any outstanding issues remain, or if the Examiner has any further suggestions for 
expediting allowance of this application, the Examiner is invited to contact the undersigned at the 
10 telephone number indicated below. 

The Examiner's attention to this matter is appreciated. 

Respectfully submitted, 
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Date: March 31, 2003 



Kevin M. Mason 
Attorney for Applicant(s) 
Reg. No. 36,597 
Ryan, Mason & Lewis, LLP 
1300 Post Road, Suite 205 
Fairfield, CT 06430 
(203) 255-6560 
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VERSION MARKED TO SHOW ALL CHANGES 

IN THE CLAIMS: 

Please amend the claims as indicated below: 

5 

1 . (Amended) A method for analyzing at least one gateway in a network, said at least 
one gateway having a packet filtering configuration file including a plurality of rules, said network 
having a plurality of addresses, said method comprising the steps of: 

generating a gateway-zone graph that models said network based on said packet 
1 0 filtering configuration file , said gateway-zone graph having at least one gateway node corresponding 
to said at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet 
filtering machine and each of said zone nodes correspond to a partitioned collection of said 
addresses created by said at least one gateway; 

receiving a query inquiring whether one or more given services are permitted between 
15 at least one source address and at least one destination address; and 

evaluating said query against each of said rules associated with each gateway node in 
said gateway-zone graph that is encountered between said at least one source address and said at least 
one destination address. 

20 2. (Unamended) The method of claim 1 , wherein said rules are expressed as rule-base 

objects. 

3. (Unamended) The method of claim 1, wherein said gateway-zone graph is derived 
from a network topology file. 

25 

4. (Unamended) The method of claim 1 , wherein said query includes a wildcard for at 
least one of said service, source address or destination address. 

5 . (Unamended) The method of claim 1 , further comprising the step of determining a 
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portion of said one or more given services that are permitted between at least one source address and 
at least one destination address. 

6. (Unamended) The method of claim 1, further comprising the step of transforming 
5 said packet filtering configuration files into a table of logical rules that are processed during said 

evaluating step. 

7. (Unamended) The method of claim 1, wherein said query consists of a source host- 
group, a destination host-group, and a service host-group. 

10 

8. (Unamended) The method of claim 1, wherein said query specifies a location where 
packets are to be inserted into the network that is different from a source address. 

9. (Amended) A method of modeling a network having a plurality of gateway devices, 
15 comprising the steps of: 

identifying each gateway device in said network having a packet-filtering rule-base 
and each zone in said network defined by said gateway devices; and 

generating a gateway-zone graph that models said network based on said packet- 
filtering rule-base , said gateway-zone graph having a gateway node corresponding to each of said 
20 gateway devices and a zone node corresponding to each of said zones. 

10. (Unamended) The method of claim 9, wherein said gateway-zone graph is derived 
from a network topology file. 

25 11. (Unamended) The method of claim 9, further comprising the step of transforming 

said packet-filtering rule-base into a table of logical rules. 

12. (Amended) An apparatus for analyzing at least one gateway in a network, said at 
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least one gateway having a packet filtering configuration file including a plurality of packet filtering 
rules, said network having a plurality of addresses, said tool comprising: 

a user interface for receiving a query inquiring whether one or more given services are 
permitted between at least one source address and at least one destination address, wherein each of 
5 said source addresses and said destination addresses correspond to one of said zones; and 

a user interface for indicating a portion of said one or more given services that are 
permitted between a portion of said at least one source address and a portion of said at least one 
destination address, said portions obtained by analyzing a gateway-zone graph that models said 
network based on said packet filtering configuration file with at least one gateway node 
10 corresponding to said at least one gateway and at least two zone nodes, wherein each of said zone 
nodes correspond to a partitioned collection of said addresses created by said at least one gateway. 

13. (Unamended) The method of claim 12, wherein said rules are expressed as rule- 
base objects 

15 

14. (Unamended) The method of claim 12, wherein said gateway-zone graph is 
derived from a network topology file. 

15. (Unamended) The method of claim 12, wherein said query includes a wildcard for 
20 at least one of said service, source address or destination address. 

16. (Unamended) The method of claim 12, wherein said packet filtering configuration 
files are expressed as a set of logical rules. 

25 17. (Unamended) The method of claim 12, wherein said query consists of a source 

host-group, a destination host-group, and a service host-group. 

18. (Unamended) The method of claim 12, wherein said user interface allows a user 
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to specify a location where packets are to be inserted into the network that is different from a source 
address. 

19. (Amended) An apparatus for analyzing at least one gateway in a network, said at 
5 least one gateway having a packet filtering configuration file including a plurality of rules, said 
network having a plurality of addresses, said tool comprising: 

a memory for storing computer readable code; and 

a processor operatively coupled to said memory, said processor configured to: 

generate a gateway-zone graph that models said network based on said packet filtering 
10 configuration file , said gateway-zone graph having at least one gateway node corresponding to said 
at least one gateway and at least two zone nodes, wherein said at least one gateway is a packet 
filtering machine and each of said zone nodes correspond to a partitioned collection of said 
addresses created by said at least one gateway; 

receive a query inquiring whether one or more given services are permitted between at 
15 least one source address and at least one destination address; and 

evaluate said query against each of said rules associated with each gateway node in 
said gateway-zone graph that is encountered between said at least one source address and said at least 
one destination address. 

20 20. (Unamended) The tool of claim 19, wherein said rules are expressed as rule-base 

objects 

21. (Unamended) The tool of claim 19, wherein said gateway-zone graph is derived 
from a network topology file. 

25 

22. (Unamended) The tool of claim 19, wherein said query includes a wildcard for at 
least one of said service, source address or destination address. 
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23. (Unamended) The tool of claim 19, further comprising the step of determining a 
portion of said one or more given services that are permitted between at least one source address and 
at least one destination address. 

5 24. (Unamended) The tool of claim 19, further comprising the step of transforming 

said packet filtering configuration files into a table of logical rules that are processed during said 
evaluating step. 

25. (Unamended) The tool of claim 19, wherein said query consists of a source host- 
10 group, a destination host-group, and a service host-group. 

26. (Unamended) The tool of claim 19, wherein said query specifies a location where 
packets are to be inserted into the network that is different from a source address. 

15 27. (Amended) A computer readable medium having computer readable program 

code means embodied thereon, said computer readable program code means analyzing at least one 
gateway in a network, said at least one gateway having a packet filtering configuration file including 
a plurality of rules, said network having a plurality of addresses, said computer readable program 
code means comprising: 

20 a step to generate a gateway-zone graph that models said network based on said 

packet filtering configuration file , said gateway-zone graph having at least one gateway node 
corresponding to said at least one gateway and at least two zone nodes, wherein said at least one 
gateway is a packet filtering machine and each of said zone nodes correspond to a partitioned 
collection of said addresses created by said at least one gateway; 

25 a step to receive a query inquiring whether one or more given services are permitted 

between at least one source address and at least one destination address; and 

a step to evaluate said query against each of said rules associated with each gateway 
node in said gateway-zone graph that is encountered between said at least one source address and 
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said at least one destination address. 

28. (Amended) A system for modeling a network, comprising: 
a memory for storing computer readable code; and 

5 a processor operatively coupled to said memory, said processor configured to: 

identify each gateway device in said network having a packet-filtering rule-base and 
each zone in said network defined by said gateway devices; and 

generate a gateway-zone graph that models said network based on said packet- 
filtering rule-base , said gateway-zone graph having a gateway node corresponding to each of said 
10 gateway devices and a zone node corresponding to each of said zones. 

29. (Amended) A computer readable medium having computer readable program 
code means embodied thereon, said computer readable program code means comprising: 

a step to identify each gateway device in a network having a packet-filtering rule-base 
15 and each zone in said network defined by said gateway devices; and 

a step to generate a gateway-zone graph that models said network based on said 
packet-filtering rule-base , said gateway-zone graph having a gateway node corresponding to each of 
said gateway devices and a zone node corresponding to each of said zones. 

20 



15 



